river-dev mailing list archives

From Peter Firmstone <j...@zeus.net.au>
Subject Re: Jtreg test suite certificates
Date Mon, 06 Feb 2012 07:23:13 GMT
Peter Firmstone wrote:
> Good news,
>
> It's fixed!  Turns out cloning the existing valid certs was a bad 
> idea, the keystore got confused and returned the wrong cert, that's 
> all the problem was.  Generating keys and certs is now an automated 
> script too, it works (at least on Solaris).
>
> Perhaps in February 2022, when the certs need to be regenerated again, 
> I can be as helpful for the next guy as you were for me ;)
>
> N.B. Running the jtreg tests helped me fix a couple of concurrency 
> bugs and some corner cases in my new policy provider,

Just to clarify, the concurrency bugs weren't in the policy provider, 
only the corner cases, which dealt with policy delegation and something 
else I can't remember right now.

> so these tests are still of high value.  Oh and the jtreg scripts are 
> now Java 6 compatible.
>
> Now all I have to do is go run all the jtreg and qa tests again and 
> see if I've broken anything!
>
> Cheers & thanks,
>
> Peter.
>
> bash-3.00$ ant jtreg
> Buildfile: build.xml
>
> jtreg:
>    [mkdir] Created dir: 
> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>     [move] Moving 6 files to 
> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>     [move] Moving 1 file to 
> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>    [jtreg] Test results: passed: 1
>    [jtreg] Report written to 
> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTreport/html/report.html
>
>    [jtreg] Results written to 
> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTwork
>     [move] Moving 6 files to 
> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib
>     [move] Moving 1 file to 
> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/lib-ext
>   [delete] Deleting directory 
> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/JTlib-tmp
>   [delete] Deleting: 
> /opt/src/River_Fixed_2nd_Try/peterConcurrentPolicy/qa/jtreg/test.props
>
> BUILD SUCCESSFUL
> Total time: 1 minute 25 seconds
>
> bash-3.00$ keystore.sh
> + rm ./keystore
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -genkey -alias clientDSA -dname CN=clientDSA -keyalg DSA
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -genkey -alias clientRSA1 -dname CN=clientRSA1, C=US 
> -keyalg RSA
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -genkey -alias clientRSA2 -dname CN=clientRSA2 -keyalg RSA
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -genkey -alias serverDSA -dname CN=serverDSA, C=US 
> -keyalg DSA
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -genkey -alias serverRSA -dname CN=serverRSA -keyalg RSA
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -genkey -alias noPerm -dname CN=noPerm -keyalg DSA
> + rm ./truststore
> + cp ./keystore ./truststore
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -genkey -alias notTrusted -dname CN=notTrusted -keyalg RSA
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -genkey -alias clientDSA2 -dname CN=clientDSA2 -keyalg DSA
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -certreq -alias clientDSA2 -file clientDSA2.request
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 1 -genkey -alias clientDSA2expired -dname CN=clientDSA2 
> -keyalg DSA
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 1 -certreq -alias clientDSA2expired -file 
> clientDSA2expired.request
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -genkey -alias serverRSA2 -dname CN=serverRSA2 -keyalg RSA
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -certreq -alias serverRSA2 -file serverRSA2.request
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 1 -genkey -alias serverRSA2expired -dname CN=serverRSA2 
> -keyalg RSA
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 1 -certreq -alias serverRSA2expired -file 
> serverRSA2expired.request
> + set +x
> Sign clientDSA2.req, serverRSA2.req, clientDSA2expired.req and 
> serverRSA2expired.req, then import them:
> expired certificates need one day to expire before testing.
> + ../../../../../certs/run-ca.sh -CA ./ca.properties
> + ../../../../../certs/run-ca.sh -CA ./ca1.properties
> + ../../../../../certs/run-ca.sh -CR ./ca.properties
> + ../../../../../certs/run-ca.sh -CR ./ca1.properties
> + ../../../../../certs/run-ca.sh -CR ./serverRSA2expired.properties
> + ../../../../../certs/run-ca.sh -CR ./clientDSA2expired.properties
> + keytool -keystore ./truststore -storepass keypass -keypass keypass 
> -validity 3650 -import -noprompt -alias ca -file ca.cert
> Certificate was added to keystore
> + keytool -keystore ./truststore -storepass keypass -keypass keypass 
> -validity 3650 -import -noprompt -alias ca1 -file ca1.cert
> Certificate was added to keystore
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -import -noprompt -alias ca -file ca.cert
> Certificate was added to keystore
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -import -noprompt -alias ca1 -file ca1.cert
> Certificate was added to keystore
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -import -noprompt -alias clientDSA2 -file clientDSA2.chain
> Certificate reply was installed in keystore
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 1 -import -noprompt -alias clientDSA2expired -file 
> clientDSA2expired.chain
> Certificate reply was installed in keystore
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 3650 -import -noprompt -alias serverRSA2 -file serverRSA2.chain
> Certificate reply was installed in keystore
> + keytool -keystore ./keystore -storepass keypass -keypass keypass 
> -validity 1 -import -noprompt -alias serverRSA2expired -file 
> serverRSA2expired.chain
> Certificate reply was installed in keystore
> bash-3.00$
>
> Tim Blackman wrote:
>> On Feb 5, 2012, at 12:44 AM, Peter Firmstone wrote:
>>
>>  
>>> Well, here's the bad news; the certificate has expired, but the 
>>> tests still fail.  This is the first time these tests have been run 
>>> under jdk 1.6, to my knowledge at least.
>>>
>>> The test expects jeri to throw a ConnectIOException, but it doesn't.
>>>
>>> The good news is, when the server certificate has expired, an 
>>> IOException is thrown as expected.  I have to comment out:  "throw 
>>> new FailedException(" in TestRMI for the expired client test, or 
>>> FailedException will be thrown before the expired server certificate 
>>> is tested.
>>>
>>> This could indicate the ServerAuthManager could have a problem, 
>>> since the ClientAuthManager is behaving correctly?
>>>     
>
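
The thread turns on test certificates reaching the end of their validity, with the next regeneration due in February 2022. The sketch below is an added example, not part of the original message or of the River scripts: it reads a listing in the layout printed by `keytool -list -v` and reports every alias whose certificate expires before a cutoff date. The function names and the sample listing are constructed for illustration; only the alias names are taken from the trace above.

```shell
#!/bin/sh
# Added example. Real use (flags as in the trace above, plus -list -v):
#   keytool -list -v -keystore ./keystore -storepass keypass \
#       | expiring_aliases "$(date +%Y%m%d)"

# Print "alias YYYYMMDD" for each certificate whose notAfter date is
# earlier than the cutoff ($1, as YYYYMMDD). The listing is read from stdin.
# For entries with a chain, every certificate in the chain is checked and
# reported under the entry's alias, so an expiring CA cert shows up too.
expiring_aliases() {
    awk -v cutoff="$1" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) month[m[i]] = i
        }
        /^Alias name: / { alias = substr($0, 13) }
        /^Valid from: / {
            # Dates use the java.util.Date layout: "Thu Feb 03 07:00:00 GMT 2022"
            sub(/^.* until: /, "")
            split($0, f, " ")
            ymd = sprintf("%04d%02d%02d", f[6], month[f[2]], f[3])
            if (ymd + 0 < cutoff + 0) print alias, ymd
        }
    '
}

# Constructed sample: one 3650-day entry and one 1-day entry, both dated
# from 6 Feb 2012. Not real keytool output from the project.
sample_listing() {
    cat <<'EOF'
Alias name: serverRSA
Entry type: PrivateKeyEntry
Owner: CN=serverRSA
Valid from: Mon Feb 06 07:00:00 GMT 2012 until: Thu Feb 03 07:00:00 GMT 2022

Alias name: serverRSA2expired
Entry type: PrivateKeyEntry
Owner: CN=serverRSA2
Valid from: Mon Feb 06 07:00:00 GMT 2012 until: Tue Feb 07 07:00:00 GMT 2012
EOF
}

# Stand-alone run: which sample entries are gone by 1 March 2022?
sample_listing | expiring_aliases 20220301
```

Run with today's date as the cutoff before a test cycle, an empty result means no entry in the store has expired; the deliberately short-lived `*expired` aliases are expected to appear one day after generation.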

